Is my Exchange Server ready for Windows Extended Protection (WEP)?

-

In their continued effort to improve the security of on-premise Exchange Servers, Microsoft released another security update for all current Exchange Server versions in August 2022.

In addition to this update, Microsoft highly recommends administrators to enable the so called Windows Extended Protection (WEP) on their Exchange Servers. The extended protection “enhances the existing Windows authentication functionality in order to mitigate authentication relay or “man in the middle” attacks.” However, enabling WEP is tied to quite a lot of prerequisites, and understanding them can be a difficult and time consuming task.

In order to help you quickly determining if you are ready for WEP, we developed the following questionnaire to help you identifying, and possibly solving any problems that may prevent you from enabling it right away.

Questionnaire

Following you will find some questions about your Exchange environment. If you answer any of these questions with yes, you should NOT enable the Windows Extended Protection. By clicking on each question, you will find additional information and get further advice about how to meet the prerequisites.

If you have any Exchange 2013 Servers that are hosting public folder mailboxes, public folders will no longer be accessible after enabling WEP. If you are running in coexistence with Exchange 2016 or 2019 servers, you must migrate your public folders to the newer environment, before you enable WEP.

If you have any Exchange 2016 servers that are still running on CU 22 and are hosting your public folder hierarchy, you should consider upgrading to CU 23 (or newer). Otherwise, public folders will no longer be accessible. Another option would be, to move your hierarchy to a server that has already been upgraded to a newer CU.

If you have any Exchange 2019 servers that are still running on CU 11 and are hosting your public folder hierarchy, you should consider upgrading to CU 12 (or newer). Otherwise, public folders will no longer be accessible. Another option would be, to move your hierarchy to a server that has already been upgraded to a newer CU.

If you are using retention policies to move mails from your user’s mailboxes to their archive mailboxes, this functionality will be broken after enabling WEP. Microsoft said, that they will provide a fix for this in the near future.

If you are running an Exchange hybrid environment in “Modern Hybrid” mode, enabling WEP is not supported. Microsoft is giving some advice on how to safeguard environments running in Modern Hybrid mode here.

Using SSL Offloading will cause WEP to fail and therefore is not supported.

If you are using SSL Bridging between your load balancer and your Exchange Servers, you must make sure, that both, the load balancer and your Exchange Servers have the same SSL certificate installed. Otherwise, WEP will fail.

If you are not consistently using TLS 1.2 across all of your Exchange Servers, or if you are not sure, you should follow this guide on how to make the registry settings needed for TLS 1.2.

If you do or if you are not sure, you should definitely ask the developer of your third-party software, if it will work with WEP. Note that enabling WEP will mostly affect applications connecting to your Exchange Servers using its web services. Software that as an example is running as a transport agent will not be affected.

Conclusion

Enabling WEP on your Exchange Servers is bound to quite a few prerequisites. But the benefits in terms of security are enormous, and the changes that you may need to implement are well worth the effort.

If you want to find out more about the topic, check our the links below, as they contain lots of well maintained information about everything related to the August 2022 security update and WEP.

More on this topic

Follow me on Twitter

Share this article

Recent posts

Popular categories

Leave a reply

Please enter your comment!
Please enter your name here

three × three =

Recent comments